[OpenAFS] tokens at login
lamont@scriptkiddie.org
Wed, 27 Apr 2005 12:01:41 -0700 (PDT)
There's a bug in pam_krb5afs where it's supposed to look up the fileserver
that /afs/<cellname> lives on and find its realm (from the domain_realm
mapping in krb5.conf) and then try afs/cellname@realm. Under 1.3.x, when
it calls the PFindVolume pioctl, it only passes in a 4-byte-long iob.out in
minikafs_realm_of_cell_with_ctx(), which causes a bounds-checking violation
in the pioctl code. That error message is from this pioctl call. Prior
to that, in 1.2.x, PFindVolume would truncate the result and return the
first IP address of the first fileserver that served the volume. Under
1.3.x pam_krb5afs needs to pass in space for 13 IP addresses in iob.out,
even though it only needs the first one:
#define MAXHOSTS 13 /* max hosts per single volume */
I don't have a particularly clean patch to fix that problem, but I've
mentioned it to the pam_krb5afs maintainer.
This is only part of the algorithm to find the correct realm and
credential that is failing; you might be able to work around it without
patching the code.
On Thu, 7 Apr 2005, Dj Merrill wrote:
> In the logs I get:
>
> Apr 7 11:14:08 galactica sshd[9019]: pam_krb5[9019]: got error -1 (Unknown
> code ____ 255) while obtaining tokens for mytest.dartmouth.edu
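The sizing mistake the post describes, shown as an added, self-contained C illustration (not code from pam_krb5afs or OpenAFS): a simulated PFindVolume that, in "strict" mode, rejects an output buffer too small for MAXHOSTS addresses (the 1.3.x bounds check) and, in lenient mode, truncates like 1.2.x, called once by a buggy caller that passes room for a single address and once by a fixed caller that passes room for all 13 and uses only the first. The struct name iob_sim, the function names, the strict flag and the three sample host addresses are all constructed for the example; the real ioctl structures and opcodes are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define MAXHOSTS 13 /* max hosts per single volume, as quoted in the post */

/* Minimal stand-in for a pioctl I/O block: the output buffer and its size.
   (Constructed for this example; not the real OpenAFS struct.) */
struct iob_sim {
    void *out;
    size_t out_size;
};

/* Constructed sample: three fileserver addresses serving a volume, stored as
   host-order integers and zero-terminated like a host list. */
static const uint32_t sample_hosts[MAXHOSTS] = { 0x0a000101u, 0x0a000102u, 0x0a000103u, 0 };

/* Simulated PFindVolume. strict=1 models the 1.3.x behaviour described in the
   post: refuse an output buffer that cannot hold MAXHOSTS addresses. strict=0
   models 1.2.x: copy what fits and silently truncate. Returns 0 on success,
   -1 with errno=EINVAL on the bounds violation. */
static int find_volume_sim(struct iob_sim *iob, int strict)
{
    size_t needed = MAXHOSTS * sizeof(uint32_t);
    if (strict && iob->out_size < needed) {
        errno = EINVAL;
        return -1;
    }
    size_t n = iob->out_size < needed ? iob->out_size : needed;
    memcpy(iob->out, sample_hosts, n);
    return 0;
}

/* Buggy caller: room for one 4-byte address only. Works under the lenient
   (1.2.x-style) behaviour, fails the strict (1.3.x-style) bounds check. */
static int first_fileserver_buggy(int strict, uint32_t *ip)
{
    uint32_t one = 0;
    struct iob_sim iob = { &one, sizeof(one) };
    if (find_volume_sim(&iob, strict) != 0)
        return -1;
    *ip = one;
    return 0;
}

/* Fixed caller: provide space for all MAXHOSTS addresses even though only the
   first is needed, which is the change the post says pam_krb5afs requires. */
static int first_fileserver_fixed(int strict, uint32_t *ip)
{
    uint32_t hosts[MAXHOSTS];
    struct iob_sim iob = { hosts, sizeof(hosts) };
    memset(hosts, 0, sizeof(hosts));
    if (find_volume_sim(&iob, strict) != 0)
        return -1;
    if (hosts[0] == 0) {        /* empty host list: volume not served anywhere */
        errno = ENOENT;
        return -1;
    }
    *ip = hosts[0];
    return 0;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u\n", (ip >> 24) & 0xffu, (ip >> 16) & 0xffu,
           (ip >> 8) & 0xffu, ip & 0xffu);
}

int main(void)
{
    uint32_t ip = 0;
    printf("buggy caller, 1.2.x-style: %s\n",
           first_fileserver_buggy(0, &ip) == 0 ? "ok" : "error");
    printf("buggy caller, 1.3.x-style: %s\n",
           first_fileserver_buggy(1, &ip) == 0 ? "ok" : "error");
    if (first_fileserver_fixed(1, &ip) == 0) {
        printf("fixed caller, 1.3.x-style: ");
        print_ip(ip);
    }
    return 0;
}
```

The point of the two callers is that the "4 bytes is enough because I only read one address" reasoning is what breaks once the receiving side validates the caller's buffer against the full result it is prepared to write; sizing the buffer to the interface's maximum and then using only the first element keeps the call correct under both behaviours.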